The present invention relates generally to methods of maintaining network security. More particularly, the invention provides methods and systems for automatically learning new locations of known source MAC addresses. Merely by way of example, the invention has been applied to maintaining database records in a secure environment while reducing the work load of a CPU. But it would be recognized that the invention has a much broader range of applicability.
In a network environment, a network device, for example, a layer 2 bridge, contains a MAC table or forwarding database (FDB) that includes information on the MAC stations connected to the network. The FDB typically contains a listing of unicast MAC addresses and, for each address, the location of the station associated with it. The location of a unicast MAC address is typically a {device, port} indicator or a trunk number. The size of the FDB is predetermined and depends on the particular application; merely by way of example, some layer 2 bridges have 16K-entry FDBs. The FDB can be configured in several operational modes, such as a controlled learning mode and an automatic learning mode.
The controlled learning mode is utilized in some secure environments in which the network device should not automatically learn new source MAC addresses received by the device on its network ports. In controlled learning mode, when a new MAC address is seen by the device, there are several options for either forwarding or dropping the packet. In some implementations of the controlled learning mode, all packets associated with a new MAC address are dropped. In another implementation, the packet is forwarded, and a message is sent to the CPU noting that the packet carries a new MAC address. The CPU then attempts to authenticate the user and, if successful, adds the new MAC address and the location of the station to the FDB, thus learning the new MAC address in a controlled manner. If the new MAC address is not authenticated, the CPU does not add the address to the FDB. In yet another implementation, a packet with a new MAC address is received and the CPU is asked to authenticate the MAC address as a legitimate user and update the FDB before the packet is forwarded. A drawback associated with the controlled learning mode is that CPU resources are utilized to process every new MAC address that is learned. In some applications, the CPU resources are undesirably taxed during the authentication and FDB updating processes.
When the MAC address is known, but it is determined that the station is located at a new location, the station is treated as if it had a new MAC address and a message is sent to the CPU indicating that a new MAC address has been received from the given location. If authenticated, the CPU updates the existing FDB entry for this MAC address with the new location. Thus, in the controlled learning mode, the FDB content is modified and/or updated only at the initiative of the CPU.
Other network devices utilize an automatic learning mode, which operates by automatically learning each new MAC address that is seen by the network device. As a packet with a new source MAC address is received, the FDB is updated with the new MAC address and the packet is forwarded. Additionally, if a previously automatically learned MAC address has changed location, the new location of the station is automatically updated in the FDB. Of course, the automatic learning mode, which is typically used in systems with limited CPU resources, presents security problems: any station can cause the device to learn, or to relocate, a MAC address simply by transmitting a frame carrying that source address, with no authentication of the sender. Thus, there is a need in the art for methods and systems adapted to provide security for the network without requiring the CPU to authenticate every new MAC address that is learned.
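The following is an added illustration, not part of the original description and not a vendor implementation, of the two learning modes described above operating on a simplified FDB. It models the FDB as a map from source MAC address to a {device, port} location, the controlled mode in its authenticate-before-forward variant, and a constructed "station move" scenario in which a frame carrying an already-known source MAC arrives on a different port. The `ForwardingDatabase`, `Frame` and `station_move_demo` names, the 16K default capacity and the hypothetical `authenticator` callback standing in for the CPU's authentication step are all assumptions introduced for the example.

```python
"""Simulated layer-2 forwarding database (FDB) in controlled and automatic
learning modes.  Added illustration; not a vendor implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Location = Tuple[int, int]          # {device, port} indicator for a station


@dataclass
class Frame:
    src_mac: str
    ingress: Location               # where the bridge received the frame


@dataclass
class ForwardingDatabase:
    mode: str                       # "automatic" or "controlled"
    capacity: int = 16 * 1024       # e.g. a 16K-entry FDB (assumed default)
    # Hypothetical CPU-side authenticator: decides whether (mac, location) is
    # a legitimate station.  Default refuses everything.
    authenticator: Callable[[str, Location], bool] = lambda mac, loc: False
    entries: Dict[str, Location] = field(default_factory=dict)
    cpu_messages: List[str] = field(default_factory=list)   # traps sent to the CPU

    def lookup(self, mac: str) -> Optional[Location]:
        return self.entries.get(mac)

    def process(self, frame: Frame) -> str:
        """Handle one ingress frame; return 'forward' or 'drop'."""
        known = self.entries.get(frame.src_mac)
        if known == frame.ingress:
            return "forward"                    # known MAC at known location: nothing to learn

        if self.mode == "automatic":
            # Hardware learns (or relocates) the address with no CPU involvement.
            if known is None and len(self.entries) >= self.capacity:
                return "forward"                # table full: forward without learning
            self.entries[frame.src_mac] = frame.ingress
            return "forward"

        # Controlled mode (authenticate-before-forward variant): a new MAC, or a
        # known MAC seen at a new location, is trapped to the CPU, which decides
        # whether the FDB is updated.  The FDB changes only at the CPU's initiative.
        event = "new" if known is None else f"moved from {known}"
        self.cpu_messages.append(f"{frame.src_mac} {event} at {frame.ingress}")
        if self.authenticator(frame.src_mac, frame.ingress):
            self.entries[frame.src_mac] = frame.ingress
            return "forward"
        return "drop"                           # unauthenticated: FDB left untouched


def station_move_demo() -> dict:
    """Constructed scenario: a legitimate station on (1, 3), then a frame with the
    same source MAC arriving on (1, 7).  Returns what each mode ends up believing."""
    victim = "00:11:22:33:44:55"                # constructed sample address
    legit = Frame(victim, (1, 3))
    spoof = Frame(victim, (1, 7))               # constructed frame from another port

    # Authenticator that only accepts the station at its real location.
    allowed = {(victim, (1, 3))}
    auth = lambda mac, loc: (mac, loc) in allowed

    results = {}
    for mode in ("automatic", "controlled"):
        fdb = ForwardingDatabase(mode=mode, authenticator=auth)
        first = fdb.process(legit)
        second = fdb.process(spoof)
        results[mode] = {
            "first": first,
            "second": second,
            "location": fdb.lookup(victim),
            "cpu_messages": len(fdb.cpu_messages),
        }
    return results


if __name__ == "__main__":
    for mode, r in station_move_demo().items():
        print(mode, r)
```

In the automatic mode the second frame silently relocates the victim's entry to port (1, 7) and costs the CPU nothing; in the controlled mode both the initial learn and the attempted move are trapped to the CPU (two messages), the unauthenticated move is dropped, and the entry keeps its original location. That contrast is the trade-off the preceding paragraphs describe: security at the price of CPU work on every new or relocated address.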